From: Patrick McHardy <kaber@trash.net>
To: Holger Eitzenberger <holger@eitzenberger.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [OOPS PATCH 1/1] netfilter: fix OOPS in flush_expectations()
Date: Fri, 11 Oct 2013 15:35:41 +0100
Message-ID: <20131011143539.GA5276@macbook.localnet>
In-Reply-To: <20131011140440.339579297@eitzenberger.org>

On Fri, Oct 11, 2013 at 04:02:05PM +0200, Holger Eitzenberger wrote:
> This is the initial report I got:
>
> [ 2886.953175] BUG: unable to handle kernel paging request at 00100100
> [ 2886.956435] IP: [<f88a4ab8>] flush_expectations+0x68/0x85 [nf_conntrack_sip]
> [ 2886.956435] *pde = 00000000
> [ 2886.956435] Oops: 0000 [001] SMP
> ...
> [ 2886.956435] Pid: 5606, comm: red_server.plc Tainted: G O
> 3.3.8-79.g20f5c30-smp 001 Astaro AG ASG/i845GV-W83627HF
> [ 2886.956435] EIP: 0060:[<f88a4ab8>] EFLAGS: 00210246 CPU: 0
> [ 2886.956435] EIP is at flush_expectations+0x68/0x85 [nf_conntrack_sip]
> [ 2886.956435] EAX: 00000000 EBX: 00100100 ECX: 00000000 EDX: effdc0a0
> [ 2886.956435] ESI: 00100100 EDI: 00000001 EBP: 00000001 ESP: f5c0bd54
> [ 2886.956435] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [ 2886.956435] Process red_server.plc (pid: 5606, ti=f5c0a000 task=f5da2a20 task.ti=efc62000)
> [ 2886.956435] Stack:
> [ 2886.956435] f490b948 00000001 00000197 f45f4f00 f88a5918 f5c0bde0 f5c0bddc 0000001c
> [ 2886.956435] 00000014 f88a72a8 0000015d f5c0bddc 00000001 f88a472e f5c0bddc f5c0bde0
> [ 2886.956435] 00000001 00000197 00000014 f490b948 f45f4f00 f88a72a8 00000197 00000001
>
> Which is due to nf_conntrack_expect.lnode hlist entry not being reset
> to NULL after being removed from the list in hlist_del(), but instead to
> LIST_POISON1. And because of this hlist_for_each_entry_safe() does
> not terminate correctly.
>
> Therefore change nf_ct_unlink_expect_report() to use __hlist_del()
> instead.

We should be holding the conntrack lock here and in flush_expectations().
Not sure what I'm missing here, but if locking were used correctly, this
shouldn't be happening.

>
> Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
>
> Index: linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
> ===================================================================
> --- linux-stable-3.8.y.orig/net/netfilter/nf_conntrack_expect.c
> +++ linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
> @@ -51,7 +51,7 @@ void nf_ct_unlink_expect_report(struct n
> hlist_del_rcu(&exp->hnode);
> net->ct.expect_count--;
>
> - hlist_del(&exp->lnode);
> + __hlist_del(&exp->lnode);
> master_help->expecting[exp->class]--;
>
> nf_ct_expect_event_report(IPEXP_DESTROY, exp, pid, report);
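
Review bot: at `__hlist_del(&exp->lnode)`, the replacement drops the poisoning but resets nothing: __hlist_del() only unlinks the node and leaves exp->lnode.next and pprev pointing at the old neighbours, so it does not produce the "reset to NULL" state the description asks for. A walker that still holds this entry would then follow a stale next pointer instead of faulting on LIST_POISON1, which hides the problem rather than removing it. If a NULL-terminated node is what is wanted, hlist_del_init() is the helper that does that; otherwise the changelog should explain how flush_expectations() ends up holding an already unlinked entry, given the locking question raised in the reply above.
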
>
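
Added example (not part of the thread and not kernel code): a user-space C model of the hlist behaviour described in the quoted report, comparing what a "safe" walker does after hlist_del(), __hlist_del() and hlist_del_init(). It assumes, for illustration only, that the node the walker has already saved as its next pointer is unlinked during the loop body; the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal user-space model of the kernel's hlist; not the kernel headers. */
struct hnode { struct hnode *next, **pprev; };
struct hhead { struct hnode *first; };
#define POISON1 ((struct hnode *)(uintptr_t)0x00100100)  /* LIST_POISON1, 32-bit */
#define POISON2 ((struct hnode **)(uintptr_t)0x00200200) /* LIST_POISON2, 32-bit */

enum del_mode { DEL_POISON, DEL_RAW, DEL_INIT }; /* hlist_del, __hlist_del, hlist_del_init */

static void add_head(struct hnode *n, struct hhead *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

static void del(struct hnode *n, enum del_mode m)
{
    *n->pprev = n->next;                 /* the unlink itself: __hlist_del() */
    if (n->next)
        n->next->pprev = n->pprev;
    if (m == DEL_POISON) { n->next = POISON1; n->pprev = POISON2; }
    if (m == DEL_INIT)   { n->next = NULL;    n->pprev = NULL; }
}

/* Walk a->b->c the way hlist_for_each_entry_safe() does, saving the next
 * pointer before the loop body. Assumption for this model: while the walker
 * is on `a`, something unlinks `b`, the node the walker already saved.
 * Returns the address the walker would dereference next (0 means clean
 * termination); *visited counts how many loop bodies ran. */
uintptr_t walk_with_unlink(enum del_mode m, int *visited)
{
    struct hhead h = { NULL };
    struct hnode a, b, c, *pos, *n;

    add_head(&c, &h); add_head(&b, &h); add_head(&a, &h);
    *visited = 0;
    for (pos = h.first; pos; pos = n) {
        if (pos == POISON1)
            return (uintptr_t)pos;       /* the kernel faults here instead */
        n = pos->next;                   /* saved before the body runs */
        (*visited)++;
        if (pos == &a)
            del(&b, m);                  /* saved pointer n is now stale */
    }
    return 0;
}
```

With the poisoning delete the model stops at 0x00100100, the address in the oops; with the raw unlink it runs the loop body on the unlinked node and carries on; with the init variant it terminates early and never reaches the last node.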
Thread overview: 10+ messages
2013-10-11 14:02 [OOPS PATCH 0/1] netfilter/sip: fix OOPS in flush_expectations() Holger Eitzenberger
2013-10-11 14:02 ` [OOPS PATCH 1/1] netfilter: " Holger Eitzenberger
2013-10-11 14:35 ` Patrick McHardy [this message]
2013-10-11 14:53 ` Holger Eitzenberger
2013-10-11 15:09 ` Patrick McHardy
2013-10-11 20:37 ` [OOPS PATCH 0/1] netfilter/sip: " Pablo Neira Ayuso
2013-10-12 5:58 ` Holger Eitzenberger
2013-10-12 8:55 ` Patrick McHardy
2013-10-12 10:11 ` Holger Eitzenberger
2013-10-14 13:46 ` Holger Eitzenberger